Manage User Accounts Using SNMP

C H A P T E R 4

Topics
Description	Links
Review the prerequisites	Before You Begin
Configure user accounts	Configure User Accounts Configure Single Sign On
Configure Active Directory settings	View and Configure Active Directory Settings View and Configure Active Directory Administrator Groups Settings View and Configure Active Directory Operator Groups Settings View and Configure Active Directory Custom Groups Settings View and Configure Active Directory User Domain Settings View and Configure Active Directory Alternate Server Settings View and Configure Redundancy Settings View and Configure Active Directory DNS Locator Settings View and Configure DNS Name Server Settings
Configure LDAP settings	Configure LDAP Settings
Configure LDAP/SSL settings	View and Configure LDAP/SSL Administrator Groups Settings View and Configure LDAP/SSL Operator Groups Settings View and Configure LDAP/SSL Custom Groups Settings View and Configure LDAP/SSL User Domain Settings View and Configure LDAP/SSL Alternate Server Settings
Configure RADIUS settings	Configure RADIUS Settings

Related Topics
For ILOM	Section	Guide
Concepts	User Account Management	Oracle Integrated Lights Out Manager (ILOM) 3.0 Concepts Guide (820-6410)
Web	Managing User Accounts	Oracle Integrated Lights Out Manager (ILOM) 3.0 Web Interface Procedures Guide (820-6411)
CLI	Managing User Accounts	Oracle Integrated Lights Out Manager (ILOM) 3.0 CLI Procedures Guide (820-6412)
The ILOM 3.0 Documentation Collection is available at: `http://docs.sun.com/app/docs/prod/int.lights.mgr30#hic`

Before You Begin

Prior to performing the procedures in this chapter, you must ensure that the following requirements are met:

To view user account information, you need the Read Only (o) role enabled.

To configure user account information, you need the User Management (u) role enabled.

To execute the snmpset command, you need to use an SNMP v1 or v2c community or an SNMP v3 user account with read/write (rw) privileges.

For examples of SNMP commands, see SNMP Command Examples.

Note - The example SNMP commands presented in this section are based on the Net-SNMP sample applications and, therefore, will only work as presented if you have Net-SNMP and the Net-SNMP sample applications installed.

Configuring User Accounts

Topics
Description	Links
Configure user accounts	Configure User Accounts Configure Single Sign On

Configure User Accounts

Note - You can use get and set commands to configure user account MIB object settings. For a description of the MIB objects used in this procedure, see User Account MIB Objects.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. To create a new user account with a user role of Operator, type:

% snmpset -v2c -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLocalUserRowStatus.'user1' i 4 ilomCtrlLocalUserRoles.'user1' s "operator" ilomCtrlLocalUserPassword.'user1' s "password"

3. To delete a user account, type:

% snmpset -v2c -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLocalUserRowStatus.'user1' i 6

User Account MIB Objects

The following MIB objects, properties, values, and types are valid for local user accounts.

TABLE 4-1 Valid MIB Objects, Properties, Values, and Types for Local User Accounts
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlLocal UserUsername`	A local user use rname. It must start with an alphabetical letter and may contain alphabetical letters, digits, hyphens and underscores, but cannot contain spaces. It cannot be the same as the password.	username	String	None
`ilomCtrlLocal UserPassword`	A local user password.	password	String	None
`ilomCtrlLocal UserRoles`	Specifies the role that is associated with a user. The roles can be assigned for the legacy roles of ’Administrator’ or ’Operator’, or any of the individual role IDs of ’a’, ’u’, ’c’, ’r’, ’o’ and ’s’. The role IDs can be joined together. For example, ’aucros’, where a=admin, u=user, c=console, r=reset, o=read-only, s=service.	`administrator,` `operator,` `admin(a),` `user(u),` `console(c),` `reset(r), read-only(o),` `service(s)`	String	None
ilomCtrlLocal UserRowStatus	This object is used to create a new row or to delete an existing row in the table. This property can be set to either `createAndWait(5)` or `destroy(6)`, to create and remove a user respectively.	`active(1),` `notInService(2),` `notReady(3),` `createAndGo(4),` `createAndWait(5),` `destroy(6)`	Integer	None
ilomCtrlLocal UserCLIMode	An enumerated value that describes the possible CLI modes. The `default` mode corresponds to the ILOM DMTF CLP. The `alom` mode corresponds to the ALOM CMT.	`default(1),` `alom(2)`	Integer	None

Configure Single Sign On

Single Sign On is a convenient authentication service that reduces the number of times you need to enter a password to gain access to ILOM. Single Sign On is enabled by default. As with any authentication service, authentication credentials are passed over the network. If this is not desirable, consider disabling the Single Sign On authentication service.

Note - You can use the set command to configure single sign on MIB object settings. For a description of the MIB object used in this procedure, see Single Sign On MIB Object.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. To enable Single Sign On, type:

% snmpset -v2c -cprivate -mALL SNMP_agent_ipaddress ilomCtrlSingleSignonEnabled.0 i 1

Single Sign On MIB Object

The following MIB object, value, and type are valid for Single Sign On.

TABLE 4-2 Valid MIB Object, Value, and Type for Single Sign On
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlSingl` `SignonEnabled`	Specifies whether Single Sign On (SSO) authentication should be enabled on the device. SSO allows tokens to be passed so that it is not necessary to re-enter passwords between different applications. This allows SSO between the system controller (SC) web interface and the service processor (SP) web interface, between the SC command-line interface and the SP command-line interface, and between the SC and SP interfaces and the Java Remote Console application.	`true(1),` `false(2)`	Integer	None

Configuring Active Directory Settings

Topics
Configure Active Directory Settings	View and Configure Active Directory Settings View and Configure Active Directory Administrator Groups Settings View and Configure Active Directory Operator Groups Settings View and Configure Active Directory Custom Groups Settings View and Configure Active Directory User Domain Settings View and Configure Active Directory Alternate Server Settings View and Configure Active Directory DNS Locator Settings

Topics

Description

Links

Configure Active Directory Settings

View and Configure Active Directory Settings

Note - You can use the get and set commands to view and configure Active Directory settings. For a description some of the MIB objects used in this procedure, see Active Directory MIB Objects. For descriptions of the other MIB objects, see the SUN-ILOM-CONTROL-MIB.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. Refer to the following SNMP command examples:

To view the Active Directory state, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryEnabled.0

To enable the Active Directory, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryEnabled.0 i 1

To view the Active Directory port number, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryPortNumber.0

To set the Active Directory port number, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryPortNumber.0 i portnumber

To view the Active Directory default user roles, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryDefaultRoles.0

To set the Active Directory default user roles, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryDefaultRoles.0 s acro

To view the Active Directory certificate file URI, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryCertFileURI.0

To set the Active Directory certificate file URI, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryCertFileURI.0 s URI

To view the Active Directory time out, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryTimeout.0

To set the Active Directory time out, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryTimeout.0 i 6

To view the Active Directory certificate validation mode, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryStrictCertEnabled.0

To set the Active Directory certificate validation mode, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryStrictCertEnabled.0 i 1

To view the Active Directory certificate file status, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryCertFileStatus.0

To view the event log setting for the amount of messages sent to the event log, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryLogDetail.0

To configure the event log setting so that only the highest priority messages are sent to the event log, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryLogDetail.0 i 2

To view the role that user1 is to have when authenticated via Active Directory, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryDefaultRoles.’user1’

To specify the Admin (a) role for user1 when authenticated via Active Directory, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryDefaultRoles.’user1’ s a

To view and clear the certificate information associated with the server when it is set to true, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryCertClear.0
% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryCertClear.0 i 0

To view the version of the certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryCertVersion.0

To view the serial number of the certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryCertserialNo.0

To view the issuer of the certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryCertIssuer.0

To view the subject of the certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryCertSubject.0

To view the valid start date of the certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryCertValidBegin.0

To view the valid end date of the certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirectoryCertValidEnd.0

Active Directory MIB Objects

The following MIB objects, values, and types are valid for the Active Directory

TABLE 4-3 Valid MIB Objects, Values, and Types for Active Directory
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlActive` `Directory` `Enabled`	Specifies whether the Active Directory client is enabled.	`true(1),` `false(2)`	Integer	true
`ilomCtrlActive` `DirectoryIP`	The IP address of the Active Directory server used as a name service for user accounts.	ipaddress	String	None
`ilomCtrlActive` `Directory` `PortNumbe`	Specifies the port number for the Active Directory client. Specifying zero as the port means auto-select while specifying 1 to 65535 configures the actual port.	portnumber Range: 0 to 65535	Integer	None
`ilomCtrl` `Active` `Directory` `DefaultRoles`	Specifies the role that a user authenticated via Active Directory should have. Setting this property to legacy roles of ’Administrator’ or ’Operator’, or any of the individual role IDs of ’a’, ’u’, ’c’, ’r’, ’o’ and ’s’ will cause the Active Directory client to ignore the schema stored on the Active Directory server. Setting this to ’none’ clears the value and indicates that the native Active Directory schema should be used. The role IDs can be joined together. For example, ’aucros,’ where a=admin, u=user, c=console, r=reset, o=read-only, and s=service.	`administrator,` `operator,` `admin(a),` `user(u),` `console(c),` `reset(r),` `read-only(o),` `service(s),` `none`	String	None
`ilomCtrlActive` `Directory` `CertFileURI`	This is the URI of a certificate file needed when Strict Certificate Mode is enabled. Setting the URI causes the transfer of the file, making the certificate available immediately for certificate authentication.	URI	String	None
`ilomCtrlActive` `Directory` `Timeout`	Specifies the number of seconds to wait before timing out if the Active Directory server is not responding.	Range: 1 to 20 seconds	Integer	4
`ilomCtrlActive` `Directory` `StrictCert` `Enabled`	Specifies whether the Strict Certificate Mode is enabled for the Active Directory client. If enabled, the Active Directory certificate must be uploaded to the SP so that certificate validation can be performed when communicating with the Active Directory server.	`true(1), false(2)`	Integer	true
`ilomCtrlActive` `DirectoryCert` `FileStatus`	A string indicating the status of the certificate file. This is useful in determining whether a certificate file is present or not.	status	String	None

View and Configure Active Directory Administrator Groups Settings

Note - If you were using the Net-SNMP sample applications, you could use the snmpget and snmpset commands to configure the Active Directory Administrator Groups settings. For a description of the MIB objects used in this procedure, see Active Directory Administrator Groups MIB Objects.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. To view the name of Active Directory administrator group ID number 2, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirAdminGroupName.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirAdminGroupName.2 = STRING: CN=spAdmins,DC=spc,DC=north,DC=sun,DC=com

3. To set the name of Active Directory administrator group ID number 2 to CN=spAdmins,DC=spc,DC=south,DC=sun,DC=com, type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirAdminGroupName.2 s CN=spAdmins,DC=spc,DC=south,DC=sun,DC=com
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirAdminGroupName.2 = STRING: CN=spAdmins,DC=spc,DC=south,DC=sun,DC=com
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirAdminGroupName.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirAdminGroupName.2 = STRING: CN=spAdmins,DC=spc,DC=south,DC=sun,DC=com

Active Directory Administrator Groups MIB Objects

The following MIB objects, values, and types are valid for Active Directory Administrator Groups settings.

TABLE 4-4 Valid MIB Objects, Values, and Types for Active Directory Administrator Groups Settings
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlActive` `DirAdminGroupId`	An integer identifier of the Active Directory Administrator Groups entry.	1 to 5 Note - This object is not accessible for reading or writing.	Integer	None
`ilomCtrlActive` `DirAdminGroup` `Name`	This string should contain a Distinguished Name that exactly matches one of the group names on the Active Directory server. Any user belonging to one of these groups in this table will be assigned the ILOM role of Administrator.	name (maximum of 255 characters)	String	None

View and Configure Active Directory Operator Groups Settings

Note - You can use the get and set commands to configure the Active Directory Operator Groups settings. For a description of the MIB objects used in this procedure, see Active Directory Operator Groups MIB Objects.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. To view the name of Active Directory operator group ID number 2, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirOperatorGroupName.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirOperatorGroupName.2 = STRING: ad-oper-group-ent-2

3. To set the name of Active Directory operator group ID number 2 to new-name-2, type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirOperatorGroupName.2 s new-name-2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirOperatorGroupName.2 = STRING: new-name-2
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirOperatorGroupName.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirOperatorGroupName.2 = STRING: new-name-2

Active Directory Operator Groups MIB Objects

The following MIB objects, values, and types are valid Active Directory Operator Groups settings.

TABLE 4-5 Valid MIB Objects, Values, and Types for Active Directory Operator Groups Settings
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlActive` `DirOperator` `GroupId`	An integer identifier of the Active Directory Operator Groups entry.	1 to 5 Note - This object is not accessible for reading or writing.	Integer	None
`ilomCtrlActive` `DirOperator` `GroupName`	This string should contain a Distinguished Name that exactly matches one of the group names on the Active Directory server. Any user belonging to one of these groups in this table will be assigned the ILOM role of Operator.	name (maximum of 255 characters)	String	None

View and Configure Active Directory Custom Groups Settings

Note - You can use the get and set commands to configure the Active Directory Custom Groups settings. For a description of the MIB objects used in this procedure, see Active Directory Custom Groups MIB Objects.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. To view the name of Active Directory custom group ID number 2, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirCustomGroupName.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirCustomGroupName.2 = STRING: CN=SpSuperCust,OU=Groups,DC=johns,DC=sun,DC=com

3. To set the name of Active Directory custom group ID number 2 to CN=SpSuperCust,OU=Groups,DC=bills,DC=sun,DC=com, type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirCustomGroupName.2 s CN=SpSuperCust,OU=Groups,DC=bills,DC=sun,DC=com
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirCustomGroupName.2 = STRING: CN=SpSuperCust,OU=Groups,DC=bills,DC=sun,DC=com
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirCustomGroupName.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirCustomGroupName.2 = STRING: CN=SpSuperCust,OU=Groups,DC=bills,DC=sun,DC=com

4. To view the roles of Active Directory custom group ID number 2, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirCustomGroupRoles.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirCustomGroupRoles.2 = STRING: "aucro"

5. To set the roles of Active Directory custom group ID number 2 to User Management and Read Only (u,o), type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirCustomGroupRoles.2 s “uo"
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirCustomGroupRoles.2 = STRING: "uo"
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirCustomGroupRole.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirCustomGroupRoles.2 = STRING: "uo"

Active Directory Custom Groups MIB Objects

The following MIB objects, values, and types are valid for Active Directory Custom Groups settings.

TABLE 4-6 Valid MIB Objects, Values, and Types for Active Directory Custom Groups Settings
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlActive` `DirCustomGroup` `Id`	An integer identifier of the Active Directory Custom Groups entry.	1 to 5 This object is not accessible for reading or writing.	Integer	None
`ilomCtrlActive` `DirCustomGroup` `Name`	This string should contain a Distinguished Name that exactly matches one of the group names on the Active Directory server. Any user belonging to one of these groups in this table will be assigned the ILOM role based on the entry’s configuration for roles.	name (maximum of 255 characters)	String	None
`ilomCtrlActiveDirCustom` `GroupRoles`	Specifies the role that a user authenticated via Active Directory should have. Setting this property to legacy roles of ’Administrator’ or ’Operator’, or any of the individual role IDs of ’a’, ’u’, ’c’, ’r’, ’o’ and ’s’ will cause the Active Directory client to ignore the schema stored on the Active Directory server. Setting this object to ’none’ clears the value and indicates that the native Active Directory schema should be used. The role IDs can be joined together. For example, ’aucros,’ where a=admin, u=user, c=console, r=reset, o=read-only, and s=service.	`administrator,` `operator,` `admin(a),` `user(u),` `console(c),` `reset(r),` `read-only(o),` `service(s),` `none`	String	None

View and Configure Active Directory User Domain Settings

Note - You can use the get and set commands to configure the Active Directory User Domain settings. For a description of the MIB objects used in this procedure, see Active Directory User Domain MIB Objects.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. To view the name of Active Directory user domain ID number 2, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirUserDomain.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirUserDomain.2 = STRING: <USERNAME>@davidc.example.sun.com

3. To set the name of Active Directory user domain ID number 2 to <USERNAME>@johns.example.sun.com, type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirUserDomain.2 s “<USERNAME>@johns.example.sun.com”
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirUserDomain.2 = STRING: <USERNAME>@johns.example.sun.com
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirUserDomain.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirUserDomain.2 = STRING: <USERNAME>@johns.example.sun.com

Active Directory User Domain MIB Objects

The following MIB objects, values, and types are valid for Active Directory User Domain settings.

TABLE 4-7 Valid MIB Objects, Values, and Types for Active Directory User Domain Settings
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlActive` `DirUserDomain` `Id`	An integer identifier of the Active Directory domain.	1 to 5 This object is not accessible for reading or writing.	Integer	None
`ilomCtrlActive` `DirUserDomain`	This string should match exactly with an authentication domain on the Active Directory server. This string should contain a substitution string (<USERNAME>), which will be replaced with the user’s login name during authentication. Either the principle or Distinguished Name format is allowed.	name (maximum of 255 characters)	String	None

View and Configure Active Directory Alternate Server Settings

Note - You can use the get and set commands to set the values of MIB object properties to configure the Active Directory Alternate Server settings. For a description of the MIB objects used in this procedure, see Active Directory Alternate Server MIB Objects.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. Refer to the following SNMP command examples:

To view the IP address of Active Directory alternate server ID number 2, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerIp.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirAlternateServerIp.2 = IpAddress: 10.7.143.236

To set the IP address of Active Directory alternate server ID number 2 to 10.7.143.246, type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerIp.2 a 10.7.143.246
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirAlternateServerIp.2 = IpAddress: 10.7.143.246
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerIp.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirAlternateServerIp.2 = IpAddress: 10.7.143.246

To view the port number of Active Directory alternate server ID number 2, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerPort.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirAlternateServerPort.2 = INTEGER: 636

To set the port number of Active Directory alternate server ID number 2 to 639, type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerPort.2 i 639
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirAlternateServerPort.2 = INTEGER: 639
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerIp.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirAlternateServerPort.2 = INTEGER: 639

To view the certificate status of Active Directory alternate server ID number 2, type:

% snmpget -v2c -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerCertStatus.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirAlternateServerCertStatus.2 = STRING: certificate not present

To view the certificate URI of Active Directory alternate server ID number 2, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerCertURI.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirAlternateServerCertURI.2 = STRING: none

To clear the certificate information associated with the server when it is set to true, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerCertClear.0 i 1

To view the certificate version of the alternate server certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerCertVersion.0

To view the serial number of the alternate server certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerCertSerialNo.0

To view the issuer of the alternate server certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerCertIssuer.0

To view the subject of the alternate server certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerCertSubject.0

To view the valid start date of the alternate server certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerCertValidBegin.0

To view the valid end date of the alternate server certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlActiveDirAlternateServerCertValidEnd.0

Active Directory Alternate Server MIB Objects

The following MIB objects, values, and types are valid for Active Directory Alternate Server settings.

TABLE 4-8 Valid MIB Objects, Values, and Types for Active Directory Alternate Server Settings
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlActive DirAlternate ServerId`	An integer identifier of the Active Directory alternate server table.	1 to 5 This object is not accessible for reading or writing.	Integer	None
`ilomCtrlActive DirAlternate ServerIP`	The IP address of the Active Directory alternate server used as a name service for user accounts.	ipaddress	String	None
`ilomCtrlActiveDirAlternate ServerPort`	Specifies the port number for the Active Directory alternate server. Specifying 0 as the port indicates that auto-select will use the well known port number. Specifying 1-65535 is used to explicitly set the port number.	portnumber (range: 0 to 65535)	Integer	None
`ilomCtrlActive DirAlternate ServerCert Status`	A string indicating the status of the certificate file. This is useful in determining whether a certificate file is present or not.	status (maximum size: 255 characters)	String	None
`ilomCtrlActiveDirAlternate ServerCertURI`	This is the URI of a certificate file needed when Strict Certificate Mode is enabled. Setting the URI causes the transfer of the file, making the certificate available immediately for certificate authentication. Additionally, either `remove` or `restore` are supported for direct certificate manipulation.	URI	String	None

View and Configure Redundancy Settings

Note - You can use the get and set commands to view and configure redundancy settings. For a description of the MIB objects used in these commands, see the SUN-ILOM-CONTROL-MIB.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. Refer to the following SNMP command examples:

To view the status of the server in a redundant configuration, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlRedundancyStatus.0

To view the property that controls whether the server is to be promoted or demoted from active or standby status, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlRedundancyAction.0

To promote a redundant server from standby to active status, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlRedundancyAction.0 i 2

To view the FRU name of the chassis monitoring module (CMM) on which this agent is running, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlRedundancyFRUName.0

View and Configure Active Directory DNS Locator Settings

Note - You can use the get and set commands to configure the Active Directory DNS Locator settings. For a description of the MIB objects used in this procedure, see Active Directory DNS Locator MIB Objects.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. To view the state of Active Directory DNS Locator, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirDnsLocatorEnabled.0
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirDnsLocatorEnabled.0 = INTEGER: false(2)

3. To set the state of Active Directory DNS Locator ID number 2 to enabled, type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirDnsLocatorEnabled.0 i 1
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirDnsLocatorEnabled.0 = INTEGER: true(1)
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirDnsLocatorEnabled.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirDnsLocatorEnabled.2 = INTEGER: true(1)

4. To view the service name of Active Directory DNS Locator ID number 2, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirDnsLocatorQueryService.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirDnsLocatorQueryService.2 = STRING: _ldap._tcp.dc._msdcs.<DOMAIN>.<PORT:636>

5. To set the service name and port number of Active Directory DNS Locator ID number 2, type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirDnsLocatorQueryService.2 s “_ldap._tcp.pdc._msdcs.<DOMAIN>.<PORT:936>”
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirDnsLocatorQueryService.2 = STRING: _ldap._tcp.pdc._msdcs.<DOMAIN>.<PORT:936>
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlActiveDirDnsLocatorQueryService.2
SUN-ILOM-CONTROL-MIB::ilomCtrlActiveDirDnsLocatorQueryService.2 = STRING: _ldap._tcp.pdc._msdcs.<DOMAIN>.<PORT:936>

Active Directory DNS Locator MIB Objects

The following MIB objects, values, and types are valid for Active Directory DNS Locator settings.

TABLE 4-9 Valid MIB Objects, Values, and Types for Active Directory DNS Locator Settings
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlActive` `DirDnsLocator` `Enabled`	Specifies whether or not the Active Directory DNS Locator functionality is enabled.	`true(1), false(2)`	Integer	false
`ilomCtrlActive` `DirDnsLocator` `QueryId`	An integer identifier of the Active Directory DNS Locator Query entry.	1 to 5 This object is not accessible for reading or writing.	Integer	None
`ilomCtrlActive DirDnsLocator QueryService`	The service name that is used to perform the DNS query. The name may contain ’<DOMAIN>’ as a substitution marker, being replaced by the domain information associated for the user at the time of authentication. The service name may also contain ‘<PORT:> ’, which can be used to override any learned port information, if necessary. For example, <PORT:636> may be specified for the standard LDAP/SSL port 636.	name (maximum of 255 characters)	String	None

Configuring DNS Name Server

Topics
Description	Links
Configure DNS Name Server	View and Configure DNS Name Server Settings

View and Configure DNS Name Server Settings

Note - You can use the get and set commands to view and configure DNS name server settings. For a description of the MIB objects used in these commands, see the SUN-ILOM-CONTROL-MIB.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. Refer to the following SNMP command examples:

To view and specify the name server for DNS, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlDNSNameServers.0
% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlDNSNameServers.0 s ‘nameservername’

To view and specify the search path for DNS, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlDNSSearchPath.0
% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlDNSSearchPath.0 s ‘searchpath’

To view state of DHCP autodns for DNS, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlDNSdhcpAutoDns.0

To set the state of DHCP autodns for DNS to enabled, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlDNSdhcpAutoDns.0 i 1

To view the number of seconds to wait before timing out if the server does not respond, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlDNSTimeout.0

To set the number of seconds to wait before timing out if the server does not respond to 5, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlDNSTimeout.0 i 5

To view the number of times a request is attempted again after a timeout, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlDNSRetries.0

To set the number of times a request is attempted again after a timeout to 5, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlDNSRetries.0 i 5

Configuring ILOM for LDAP

Topics
Description	Links
Configure ILOM for LDAP	Configure LDAP Settings

Configure LDAP Settings

Note - You can use the get and set commands to configure ILOM for LDAP. For a description of the MIB objects used in this procedure, see ILOM for LDAP MIB Objects.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. Refer to the following SNMP command examples:

To view whether the LDAP server is enabled to authenticate LDAP users, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapEnabled.0

To set the LDAP server state to enabled to authenticate LDAP users, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapEnabled.0 i 1

To view the LDAP server IP address, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapServerIP.0

To set the LDAP server IP address, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapServerIP.0 a ipaddress

To view the LDAP server port number, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapPortNumber.0

To set the LDAP server port number, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapPortNumber.0 i 389

To view the LDAP server Distinguished Name, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapBindDn.0

To set the LDAP server Distinguished Name, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapBindDn.0 s ou=people,ou=sales,dc=sun,dc=com

To view the LDAP server password, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapBindPassword.0

To set the LDAP server password, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapBindPassword.0 s password

To view the branch of your LDAP server on which user searches are made, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSearchBase.0

To set the branch of your LDAP server on which to search for users, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSearchBase.0 s ldap_server_branch

To view the LDAP server default role, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapDefaultRoles.0

To set the LDAP server default role to Administrator, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapDefaultRoles.0 s administrator

ILOM for LDAP MIB Objects

The following MIB objects, values, and types are valid for ILOM for LDAP settings.

TABLE 4-10 Valid MIB Objects, Values, and Types for LDAP Settings
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlLdap Enabled`	Specifies whether the LDAP client is enabled.	`true(1),` `false(2)`	Integer	false
`ilomCtrlLdap ServerIP`	The IP address of the LDAP server used as a name service for user accounts.	ipaddress	String	None
`ilomCtrlLdap PortNumber`	Specifies the port number for the LDAP client.	Range: 0..65535	Integer	389
`ilomCtrlLdap BindDn`	The Distinguished Name (DN) for the read-only proxy user used to bind to the LDAP server. For example: cn=proxyuser,ou=people,dc=sun,dc=com"	distinguished_name	String	None
`ilomCtrlLdap BindPassword`	The password of a read-only proxy user which is used to bind to the LDAP server. This property is essentially write-only. The write-only access level is no longer supported as of SNMPv2. This property must return a null value when read.	password	String	None
`ilomCtrlLdap SearchBase`	A search base in the LDAP database below which to find users. For example: “ou=people,dc=sun,dc=com"	The branch of your LDAP server on which to search for users	String	None
`ilomCtrlLdap DefaultRoles`	Specifies the role that a user authenticated via LDAP should have. This property supports the legacy roles of ’Administrator’ or ’Operator’, or any of the individual role ID combinations of ’a’, ’u’, ’c’, ’r’, ’o’ and ’s’. For example, ‘aucros’, where a=admin, u=user, c=console, r=reset, o=read-only, and s=service.	`administrator,` `operator,` `admin(a),` `user(u),` `console(c),` `reset(r),` `read-only(o),` `service(s)`	String	None

Configuring ILOM for LDAP/SSL

Topics
Description	Links
Configure LDAP/SSL settings	Configure LDAP/SSL Settings View and Configure LDAP/SSL Certificate Settings View and Configure LDAP/SSL Administrator Groups Settings View and Configure LDAP/SSL Operator Groups Settings View and Configure LDAP/SSL Custom Groups Settings View and Configure LDAP/SSL User Domain Settings View and Configure LDAP/SSL Alternate Server Settings

Configure LDAP/SSL Settings

Note - You can use the get and set commands to configure the LDAP/SSL settings. For a description of the MIB objects used in this procedure, see LDAP/SSL MIB Objects.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. Refer to the following SNMP command examples:

To set the LDAP/SSL state to Enabled to authenticate LDAP/SSL users, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslEnabled.0 i 1

To set the LDAP/SSL IP address, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslIP.0 a ipaddress

To set the LDAP/SSL port number, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslPortNumber.0 i portnumber

To set the LDAP/SSL default user role, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslDefaultRoles.0 s operator

To set the LDAP/SSL certificate file URI, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslCertFileURI.0 s URI

To set the LDAP/SSL timeout, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslTimeout.0 i 6

To set the LDAP/SSL strict certificate enabled value, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslStrictCertEnabled.0 s true

To set the LDAP/SSL certificate file status, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslCertFileStatus.0 s status

To set the LDAP/SSL log detail value to medium, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslLogDetail.0 i 3

LDAP/SSL MIB Objects

The following MIB objects, values, and types are valid for LDAP/SSL settings.

TABLE 4-11 Valid MIB Objects, Values, and Types (Global Variables) for LDAP/SSL Settings
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlLdapSslEnabled`	Specifies whether or not the LDAP/SSL client is enabled.	`true(1),` `false(2)`	Integer	true
`ilomCtrlLdapSslIP`	The IP address of the LDAP/SSL server used as a directory service for user accounts.	ipaddress	String	None
`ilomCtrlLdapSslPort` `Number`	Specifies the port number for the LDAP/SSL client. Specifying 0 as the port means auto-select while specifying 1-65535 configures the actual port value.	portnumber (range: 0 to 65535)	Integer	389
`ilomCtrlLdapSslDefault` `Roles`	Specifies the role that a user authenticated via LDAP/SSL should have. Setting this property to legacy roles of ’Administrator’ or ’Operator’, or any of the individual role IDs of ’a’, ’u’, ’c’, ’r’, ’o’ and ’s’ will cause the LDAP/SSL client to ignore the schema stored on the LDAP server. Setting this object to ’none’ clears the value and indicates that the native LDAP/SSL schema should be used. The individual role IDs can be joined together in any combination of two or more roles. For example, this object can be set to ’aucros’, where a=admin, u=user, c=console, r=reset, o=read-only, and s=service.	`administrator,` `operator,` `admin(a),` `user(u),` `console(c),` `reset(r),` `read-only(o),` `service(s),` `none`	String	None
`ilomCtrlLdapSslCertFile` `URI`	The TFTP URI of the LDAP/SSL server’s certificate file that should be uploaded in order to perform certificate validation. Setting the URI causes the transfer of the specified file, making the certificate available immediately for certificate authentication. The server certificate file is needed when Strict Certificate Mode is enabled. Additionally, either `remove` or `restore` are supported for direct certificate manipulation.	URI	String	None
`ilomCtrlLdapSsl Timeout`	Specifies the number of seconds to wait before timing out if the LDAP/SSL server is not responding.	Range: 1 to 20	Integer	4
`ilomCtrlLdapSslStrict CertEnabled`	Specifies whether or not the Strict Certificate Mode is enabled for the LDAP/SSL Client. If enabled, the LDAP/SSL server’s certificate must be uploaded to the SP so that certificate validation can be performed when communicating with the LDAP/SSL server.	`true(1),` `false(2)`	Integer	true
`ilomCtrlLdapSslCertFile Status`	A string indicating the status of the certificate file. This is useful in determining whether a certificate file is present or not.	status (maximum size: 255 characters)	String	None
`ilomCtrlLdapSsl LogDetail`	Controls the amount of messages sent to the event log. The high priority has the least number of messages going to the log, while the lowest priority ’trace’ has the most messages logged. When this object is set to `none`, no messages are logged.	`none(1),` `high(2),` `medium(3),` `low(4),` `trace(5)`	Integer	None

View and Configure LDAP/SSL Certificate Settings

Note - You can use the get and set commands to view and configure LDAP/SSL certificate settings. For a description of the MIB objects used in these commands, see the SUN-ILOM-CONTROL-MIB.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. Refer to the following SNMP command examples:

To clear the certificate information associated with the server when it is set to true, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslCertFileClear.0 i 0

To view the certificate version of the certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslCertFileVersion.0

To view the serial number of the certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslCertFileSerialNo.0

To view the issuer of the certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslCertFileIssuer.0

To view the subject of the certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslCertFileSubject.0

To view the valid start date of the certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslCertFileValidBegin.0

To view the valid end date of the certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslCertFileValidEnd.0

View and Configure LDAP/SSL Administrator Groups Settings

Note - You can use the get and set commands to configure the LDAP/SSL Administrator Groups settings. For a description of the MIB objects used in this procedure, see LDAP/SSL Administrator Groups MIB Objects.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. Refer to the following SNMP command examples:

To view the name of LDAP/SSL administrator group ID number 3, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslAdminGroupName.3
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslAdminGroupName.3 = STRING: CN=SpSuperAdmin,OU=Groups,DC=davidc,DC=example,DC=sun,DC=com

To set the name of LDAP/SSL administrator group ID number 3 to CN=SpSuperAdmin,OU=Groups,DC=tomp,DC=example,DC=sun,DC=com, type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslAdminGroupName.3 s CN=SpSuperAdmin,OU=Groups,DC=tomp,DC=example,DC=sun,DC=com
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslAdminGroupName.3 = STRING: CN=SpSuperAdmin,OU=Groups,DC=tomp,DC=example,DC=sun,DC=com
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslAdminGroupName.3
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslAdminGroupName.3 = STRING: CN=SpSuperAdmin,OU=Groups,DC=tomp,DC=example,DC=sun,DC=com

LDAP/SSL Administrator Groups MIB Objects

The following MIB objects, values, and types are valid for LDAP/SSL Administrator Groups settings.

TABLE 4-12 Valid MIB Objects, Values, and Types for LDAP/SSL Administrator Groups Settings
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlLdap` `SslAdminGroup` `Id`	An integer identifier of the LDAP/SSL AdminGroup entry.	1 to 5 Note - This object is not accessible for reading or writing.	Integer	None
`ilomCtrlLdap` `SslAdminGroup` `Name`	This string should contain a Distinguished Name that exactly matches one of the group names on the LDAP/SSL server. Any user belonging to one of these groups in this table will be assigned the ILOM role of Administrator.	name (maximum of 255 characters)	String	None

View and Configure LDAP/SSL Operator Groups Settings

Note - You can use the get and set commands to configure the LDAP/SSL Operator Groups settings. For a description of the MIB objects used in this procedure, see LDAP/SSL Operator Groups MIB Objects.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. Refer to the following SNMP command examples:

To view the name of LDAP/SSL operator group ID number 3, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslOperatorGroupName.3

SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslOperatorGroupName.3 = STRING: CN=SpSuperOper,OU=Groups,DC=davidc,DC=example,DC=sun,DC=com

To set the name of Active Directory operator group ID number 3 to CN=SpSuperAdmin,OU=Groups,DC=tomp,DC=example,DC=sun,DC=com, type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslOperatorGroupName.3 s CN=SpSuperOper,OU=Groups,DC=tomp,DC=example,DC=sun,DC=com
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslOperatorGroupName.3 = STRING: CN=SpSuperOper,OU=Groups,DC=tomp,DC=example,DC=sun,DC=com
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslOperatorGroupName.3
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslOperatorGroupName.3 = STRING: CN=SpSuperOper,OU=Groups,DC=tomp,DC=example,DC=sun,DC=com

LDAP/SSL Operator Groups MIB Objects

The following MIB objects, values, and types are valid for LDAP/SSL Operator Groups settings.

TABLE 4-13 Valid MIB Objects, Values, and Types for LDAP/SSL Operator Groups Settings
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlLdapSslOperatorGroupId`	An integer identifier of the LDAP/SSL Operator Group entry.	1 to 5 Note - This object is not accessible for reading or writing.	Integer	None
`ilomCtrlLdapSslOperatorGroup` `Name`	This string should contain a Distinguished Name that exactly matches one of the group names on the LDAP/SSL server. Any user belonging to one of these groups in this table will be assigned the ILOM role of Operator.	name (maximum of 255 characters)	String	None

View and Configure LDAP/SSL Custom Groups Settings

Note - You can use the get and set commands to configure the LDAP/SSL Custom Groups settings. For a description of the MIB objects used in this procedure, see LDAP/SSL Custom Groups MIB Objects.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. Refer to the following SNMP command examples:

To view the name of LDAP/SSL custom group ID number 2, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslCustomGroupName.2
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslCustomGroupName.2 = STRING: CN=SpSuperCust,OU=Groups,DC=johns,DC=sun,DC=com

To set the name of LDAP/SSL custom group ID number 2 to CN=SpSuperCust,OU=Groups,DC=bills,DC=sun,DC=com, type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslCustomGroupName.2 s CN=SpSuperCust,OU=Groups,DC=bills,DC=sun,DC=com
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslCustomGroupName.2 = STRING: CN=SpSuperCust,OU=Groups,DC=bills,DC=sun,DC=com
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslCustomGroupName.2
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslCustomGroupName.2 = STRING: CN=SpSuperCust,OU=Groups,DC=bills,DC=sun,DC=com

To view the roles of LDAP/SSL custom group ID number 2, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslCustomGroupRoles.2
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslCustomGroupRoles.2 = STRING: “aucro"

To set the roles of LDAP/SSL custom group ID number 2 to User Management and Read Only (u,o), type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslCustomGroupRoles.2 s “uo"
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslCustomGroupRoles.2 = STRING: "uo"
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslCustomGroupRoles.2
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslCustomGroupRoles.2 = STRING: "uo"

LDAP/SSL Custom Groups MIB Objects

The following MIB objects, values, and types are valid LDAP/SSL Custom Groups settings.

TABLE 4-14 Valid MIB Objects, Values, and Types for LDAP/SSL Custom Groups Settings
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlLdapSslCustomGroupId`	An integer identifier of the LDAP/SSL custom group entry.	1 to 5 Note - This object is not accessible for reading or writing.	Integer	None
`ilomCtrlLdap SslCustomGroup Name`	This string should contain a Distinguished Name that exactly matches one of the group names on the LDAP/SSL server. Any user belonging to one of these groups in this table will be assigned the ILOM role based on the entry’s configuration for roles.	name (maximum of 255 characters)	String	None
`ilomCtrlLdap SslCustomGroup Roles`	Specifies the role that a user authenticated via LDAP/SSL should have. Setting this property to legacy roles of ’Administrator’ or ’Operator’, or any of the individual role IDs of ’a’, ’u’, ’c’, ’r’, ’o’ and ’s’ will cause the LDAP/SSL client to ignore the schema stored on the LDAP/SSL server. Setting this object to ’none’ clears the value and indicates that the native LDAP/SSL schema should be used. The role IDs can be joined together. For example, ’aucros,’ where a=admin, u=user, c=console, r=reset, o=read-only, and s=service.	`administrator,` `operator,` `admin(a),` `user(u),` `console(c),` `reset(r),` `read-only(o),` `service(s),` `none`	String	None

View and Configure LDAP/SSL User Domain Settings

Note - You can use the get and set commands to configure the LDAP/SSL User Domain settings. For a description of the MIB objects used in this procedure, see LDAP/SSL User Domain MIB Objects.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. Refer to the following SNMP command examples:

To view the name of LDAP/SSL user domain ID number 3, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslUserDomain.3
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslUserDomain.3 = STRING: CN=<USERNAME>,CN=Users,DC=davidc,DC=example,DC=sun,DC=com

To set the name of LDAP/SSL user domain ID number 3 to CN=<USERNAME>, CN=Users,DC=tomp,DC=example,DC=sun,DC=com, type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslUserDomain.3 s CN=<USERNAME>,CN=Users,DC=tomp,DC=example,DC=sun,DC=com
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslUserDomain.3 = STRING: CN=<USERNAME>,CN=Users,DC=tomp,DC=example,DC=sun,DC=com
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslUserDomain.3
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslUserDomain.3 = STRING: CN=<USERNAME>,CN=Users,DC=tomp,DC=example,DC=sun,DC=com

LDAP/SSL User Domain MIB Objects

The following MIB objects, values, and types are valid for LDAP/SSL User Domain settings.

TABLE 4-15 Valid MIB Objects, Values, and Types for LDAP/SSL User Domain Settings
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlLdapSslUserDomainId`	An integer identifier of the LDAP/SSL domain.	1 to 5 Note - This object is not accessible for reading or writing.	Integer	None
`ilomCtrlLdapSslUserDomain`	This string should match exactly with an authentication domain on the LDAP/SSL server. This string should contain a substitution string (<USERNAME>), which will be replaced with the user’s login name during authentication. Either the principle or Distinguished Name format is allowed.	name (maximum of 255 characters)	String	None

View and Configure LDAP/SSL Alternate Server Settings

Note - You can use the get and set commands to configure the LDAP/SSL Alternate Server settings. For a description of the MIB objects used in this procedure, see LDAP/SSL Alternate Server MIB Objects and the SUN-ILOM-CONTROL MIB.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. Refer to the following SNMP command examples:

To view the IP address of LDAP/SSL alternate server ID number 3, type:

% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslAlternateServerIp.3
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslAlternateServerIp.3 = IpAddress: 10.7.143.236

To set the IP address of LDAP/SSL alternate server ID number 3 to 10.7.143.246, type:

% snmpset -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslAlternateServerIp.3 a 10.7.143.246
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslAlternateServerIp.3 = IpAddress: 10.7.143.246
% snmpget -v1 -cprivate -mALL SNMP_agent_ipaddress ilomCtrlLdapSslAlternateServerIp.3
SUN-ILOM-CONTROL-MIB::ilomCtrlLdapSslAlternateServerIp.3 = IpAddress: 10.7.143.246

To view and clear the certificate information associated with the alternate server when it is set to true, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslAlternateServerCertClear.0
% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslAlternateServerCertClear.0 i 0

To view the alternate server certificate version of the certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslAlternateServerCertVersion.0

To view the serial number of the alternate server certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslAlternateServerCertSerialNo.0

To view the issuer of the alternate server certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslAlternateServerCertIssuer.0

To view the subject of the alternate server certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslAlternateServerCertSubject.0

To view the valid start date of the alternate server certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslAlternateServerCertValidBegin.0

To view the valid end date of the alternate server certificate file, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlLdapSslAlternateServerCertValidEnd.0

LDAP/SSL Alternate Server MIB Objects

The following MIB objects, values, and types are valid for LDAP/SSL Alternate Server settings.

TABLE 4-16 Valid MIB Objects, Values, and Types for LDAP/SSL Alternate Server Settings
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlLdapSslAlternateServerId`	An integer identifier of the LDAP/SSL alternate server table.	1 to 5 Note - This object is not accessible for reading or writing.	Integer	None
`ilomCtrlLdapSslAlternateServerIP`	The IP address of the LDAP/SSL alternate server used as directory server for user accounts.	ipaddress	String	None
`ilomCtrlLdapSslAlternateServerPort`	Specifies the port number for the LDAP/SSL alternate server. Specifying zero as the port indicates that auto-select will use the well known port number. Specifying 1-65535 is used to explicitly set the port number.	portnumber (range: 0 to 65535)	Integer	None
`ilomCtrlLdapSslAlternateServerCert` `Status`	A string indicating the status of the certificate file. This is useful in determining whether a certificate file is present or not.	status (maximum size: 255 characters)	Sting	None
`ilomCtrlLdapSslAlternateServerCert` `URI`	This is the URI of a certificate file needed when Strict Certificate Mode is enabled. Setting the URI causes the transfer of the file, making the certificate available immediately for certificate authentication. Additionally, either `remove` or `restore` are supported for direct certificate manipulation.	URI	String	None

Configuring RADIUS Settings

Topics
Description	Links
Configure ILOM for LDAP	Configure RADIUS Settings

Configure RADIUS Settings

Note - Before completing this procedure, collect the appropriate information about your RADIUS environment. You can use the get and set commands to configure RADIUS. For a description of the MIB objects used in this procedure, see RADIUS MIB Objects.

1. Log in to a host that has an SNMP tool and the ILOM MIBs installed. For example, type:

ssh username@snmp_manager_ipaddress

Password: password

2. Refer to the following SNMP command examples:

To view whether the RADIUS server is enabled to authenticate RADIUS users, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlRadiusEnabled.0

To set the RADIUS server state to Enabled to authenticate RADIUS users, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlRadiusEnabled.0 i 1

To view the RADIUS server IP address, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlRadiusServerIP.0

To set the RADIUS server IP address, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlRadiusServerIP.0 a ipaddress

To view the RADIUS server port number, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlRadiusPortNumber.0

To set the RADIUS server port number, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlRadiusPortNumber.0 i portnumber

To view the RADIUS server shared secret, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlRadiusSecret.0

To set the RADIUS server shared secret, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlRadiusSecret.0 s secret

To view the RADIUS server default user roles, type:

% snmpget -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlRadiusDefaultRoles.0

To set the RADIUS server default user roles to console, type:

% snmpset -mALL -v2c -cprivate SNMP_agent_ipaddress ilomCtrlRadiusDefaultRoles.0 s c

RADIUS MIB Objects

The following MIB objects, values, and types are valid for RADIUS settings.

TABLE 4-17 Valid MIB Objects, Values, and Types for RADIUS Settings
MIB Object	Description	Allowed Values	Type	Default
`ilomCtrlRadiusEnabled`	Specifies whether or not the RADIUS client is enabled.	`true(1),` `false(2)`	Integer	false
`ilomCtrlRadiusServerIP`	The IP address of the RADIUS server used as a name service for user accounts.	ipaddress	String	None
`ilomCtrlRadius` `PortNumber`	Specifies the port number for the RADIUS client.	portnumber (range: 0 to 65535)	Integer	1812
`ilomCtrlRadius` `Secret`	The shared secret encryption key that is used to encypt traffic between the RADIUS client and server.	secret (maximum length: 255 characters)	Sting	None
`ilomCtrlRadius` `DefaultRoles`	Specifies the role that a user authenticated via RADIUS should have. This property supports the legacy roles of ’Administrator’ or ’Operator’, or any of the individual role ID combinations of ’a’, ’u’, ’c’, ’r’, ’o’ and ’s’. For example, ‘aucro’, where a=admin, u=user, c=console, r=reset, o=read-only, and s=service.	`administrator,` `operator,` `admin(a),` `user(u),` `console(c),` `reset(r),` `read-only(o),` `service(s)`	String	None